Hi Guo,

Even for HDFS I don't really need to set "security.kerberos.login.contexts". As long as there is the right ticket in the ticket cache before starting the Flink cluster, it seems to work fine. I think even [4] from your reference seems to do the same thing. I have defined my own ticket cache specifically for the Flink cluster by setting this environment variable. Before starting the cluster I create a ticket by using kinit. This is how I make Flink read this cache:

export KRB5CCNAME=/home/was/Jaas/krb5cc

I think even Flink tries to find the location of the ticket cache using this variable [1]. Do you see any problems in setting up the Hadoop security module this way? And thanks a lot for your help.

[1] https://github.com/apache/flink/blob/master/flink-runtime/src/main/java/org/apache/flink/runtime/security/KerberosUtils.java

Best,
Nick

On Thu, May 21, 2020 at 9:54 PM Yangze Guo <karma...@gmail.com> wrote:

> Hi, Nick,
>
> From my understanding, if you configure the
> "security.kerberos.login.keytab", Flink will add the
> AppConfigurationEntry of this keytab to all the apps defined in
> "security.kerberos.login.contexts". If you define
> "java.security.auth.login.config" at the same time, Flink will also
> keep the configuration in it. For more details, see [1][2].
>
> If you want to use this keytab to interact with HDFS, HBase and Yarn,
> you need to set "security.kerberos.login.contexts". See [3][4].
>
> [1] https://ci.apache.org/projects/flink/flink-docs-master/ops/security-kerberos.html#jaas-security-module
> [2] https://github.com/apache/flink/blob/master/flink-runtime/src/main/java/org/apache/flink/runtime/security/modules/JaasModule.java
> [3] https://ci.apache.org/projects/flink/flink-docs-master/ops/security-kerberos.html#hadoop-security-module
> [4] https://github.com/apache/flink/blob/master/flink-runtime/src/main/java/org/apache/flink/runtime/security/modules/HadoopModule.java
>
> Best,
> Yangze Guo
>
> On Thu, May 21, 2020 at 11:06 PM Nick Bendtner <buggi...@gmail.com> wrote:
> >
> > Hi guys,
> > Is there any difference in providing Kerberos config to the Flink JVM
> > using this method in the Flink configuration?
> >
> > env.java.opts: -Dconfig.resource=qa.conf -Djava.library.path=/usr/mware/flink-1.7.2/simpleapi/lib/ -Djava.security.auth.login.config=/usr/mware/flink-1.7.2/Jaas/kafka-jaas.conf -Djava.security.krb5.conf=/usr/mware/flink-1.7.2/Jaas/krb5.conf
> >
> > Is there any difference in doing it this way vs providing it from
> > security.kerberos.login.keytab?
> >
> > Best,
> >
> > Nick.
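
The two setups compared in this thread, written out side by side as a flink-conf.yaml fragment. This is an added example, not configuration posted by either participant; the keytab path, principal and context names are placeholders chosen for illustration.

```yaml
# flink-conf.yaml (added example; placeholder values throughout)

# --- Setup 1: ticket cache, as in Nick's reply -------------------------
# Credentials come from the cache that kinit wrote before the cluster was
# started (location exported through KRB5CCNAME). No secret is stored in
# the Flink configuration, but Kerberos tickets have a limited lifetime,
# so something outside Flink has to renew or re-issue the ticket for a
# long-running cluster.
#
# security.kerberos.login.use-ticket-cache: true

# --- Setup 2: keytab, as in Yangze's reply -----------------------------
# Flink logs in from the keytab itself, so it does not depend on a ticket
# that was valid only at start-up. The keytab is a long-lived credential:
# keep it readable only by the account that runs Flink.
security.kerberos.login.use-ticket-cache: false
security.kerberos.login.keytab: /path/to/flink.keytab          # placeholder
security.kerberos.login.principal: flink-user@EXAMPLE.COM      # placeholder

# JAAS login contexts that receive the keytab's AppConfigurationEntry,
# as described in the quoted explanation. The Flink documentation gives
# "Client" (ZooKeeper) and "KafkaClient" (Kafka) as examples.
security.kerberos.login.contexts: Client,KafkaClient

# --- Static JAAS file, as in the original question ---------------------
# A JAAS file passed through env.java.opts is kept alongside the entries
# Flink generates (per the quoted explanation), so a context should be
# defined in one place only to avoid ambiguity about which entry is used.
#
# env.java.opts: -Djava.security.auth.login.config=/path/to/kafka-jaas.conf -Djava.security.krb5.conf=/path/to/krb5.conf
```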